Two address resolving additions

1. Sub-domain addressing for users with _ (underscore) in their name by using – (hyphen) instead

Sub-domain addressing is a feature where if you have the username joecitizen@fastmail.fm, then email sent to anything@joecitizen.fastmail.fm will be transformed to joecitizen+anything@fastmail.fm and delivered to your account (it’s only available for Member level users and above).

This can be a very useful way of keeping track of the email addresses that you hand out to different companies. For instance, when signing up to a new web service, rather than giving out your regular email address, you give out companyname@joecitizen.fastmail.fm. If you start getting spam at companyname@joecitizen.fastmail.fm, you can just use the Define Rules screen to block that address.

One problem with this is that technically _’s (underscores) aren’t valid in hostnames/domains (the part to the right of the @ symbol). So if your account was joe_citizen@fastmail.fm, then anything@joe_citizen.fastmail.fm is not technically a valid email address. In many cases it will work, but strict systems might reject the email.

There’s now a workaround for this. Simply replace the _ (underscore) with a – (hyphen), e.g. use anything@joe-citizen.fastmail.fm. You should only do this for sub-domain addresses where your username/alias has an _ in it. If you’re using the regular joe_citizen@fastmail.fm address, do not replace the _ (underscore) with a – (hyphen).

2. Suppressing + address propagation on alias target addresses by adding +#noplus# on the target

If you have the account joecitizen@fastmail.fm and then create an alias such as joe@fastmail.fm that targets joecitizen@fastmail.fm, then if you send to joe+anything@fastmail.fm, we propagate the +anything part to the target of the alias, so the final destination address is joecitizen+anything@fastmail.fm.

This is useful when the target is a fastmail account, because the +anything part is used for fuzzy folder matching to automatically file the message into a folder.

However, if the target address is an external non-fastmail account, then this propagation may actually be annoying, since it may result in an invalid email address that you didn’t actually want to send to.

There’s now a way to stop the propagation of the + component of an address to the target side of an alias: add a special +#noplus# component to the target of the alias. For instance, taking the case above, if the target of the joe@fastmail.fm alias was joecitizen+#noplus#@fastmail.fm, then sending to joe+anything@fastmail.fm would send the email to joecitizen@fastmail.fm, rather than joecitizen+anything@fastmail.fm.
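To make both rules concrete, here is a small address resolver written for this post as an added example; it is not FastMail’s own code, and the accounts, aliases and the `example.invalid` external target are constructed. It applies the sub-domain rewrite (trying the hyphen-for-underscore form when the exact sub-domain matches nobody, which is an assumption about how the lookup is ordered), then expands an alias, propagating any +tag unless the target carries +#noplus#. It also shows why the hyphen form exists: a hostname label check rejects the underscore.

```python
import re

# Constructed sample directory for the example; not FastMail's configuration.
DOMAIN = "fastmail.fm"
ACCOUNTS = {"joecitizen", "joe_citizen"}
# alias local part -> full target address (targets may be external)
ALIASES = {
    "joe": "joecitizen+#noplus#@fastmail.fm",   # internal target, +tag suppressed
    "jc": "joe_citizen@fastmail.fm",            # internal target, +tag propagates
    "out": "someone+#noplus#@example.invalid",  # external target, protected
    "raw": "someone@example.invalid",           # external target, unprotected
}
NOPLUS = "#noplus#"

# RFC 952/1123 hostname label: letters, digits and hyphens; no underscore.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_valid_hostname_label(label):
    return bool(LABEL_RE.match(label))


def split_local(local):
    """'user+tag' -> ('user', 'tag'); tag is None when there is no '+'."""
    user, sep, tag = local.partition("+")
    return user, (tag if sep else None)


def rewrite_subdomain(address):
    """anything@user.DOMAIN -> user+anything@DOMAIN.

    Returns the address unchanged when it is not one of our sub-domain
    addresses, and None when the sub-domain matches no account or alias.
    """
    local, _, domain = address.lower().rpartition("@")
    if domain == DOMAIN:
        return address.lower()
    sub, _, base = domain.partition(".")
    if base != DOMAIN:
        return address.lower()
    # Assumption: exact sub-domain first, then the hyphen-for-underscore form,
    # so joe-citizen.DOMAIN reaches joe_citizen without an underscore in a label.
    for user in (sub, sub.replace("-", "_")):
        if user in ACCOUNTS or user in ALIASES:
            return f"{user}+{local}@{DOMAIN}"
    return None


def expand_alias(address):
    """Replace an alias with its target, propagating +tag unless the
    target carries the +#noplus# marker, in which case the tag is dropped."""
    local, _, domain = address.rpartition("@")
    user, tag = split_local(local)
    if domain != DOMAIN or user not in ALIASES:
        return address
    tlocal, _, tdomain = ALIASES[user].rpartition("@")
    tuser, ttag = split_local(tlocal)
    if ttag == NOPLUS:
        return f"{tuser}@{tdomain}"
    if tag is None:
        return ALIASES[user]
    return f"{tuser}+{tag}@{tdomain}"


def resolve(address):
    """Full resolution: sub-domain rewrite, then alias expansion."""
    rewritten = rewrite_subdomain(address)
    if rewritten is None:
        return None
    return expand_alias(rewritten)


if __name__ == "__main__":
    for addr in ("anything@joe-citizen.fastmail.fm", "joe+anything@fastmail.fm",
                 "out+anything@fastmail.fm", "raw+anything@fastmail.fm"):
        print(f"{addr} -> {resolve(addr)}")
```

Note the chained case: shop@joe.fastmail.fm is first rewritten to joe+shop@fastmail.fm, and because the joe alias target carries +#noplus#, the mail lands at joecitizen@fastmail.fm with the tag removed.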

Posted in Technical. Comments Off

Bots probing for XSS vulnerabilities

I’ve just noticed a large bunch of interesting requests in our logs. Basically they’re looking like this:

Our URL structure is a bit weird, and I’ve sanitized all the URLs to remove the malicious domains, but what’s happening is pretty clear. A bot is going to our home page and finding all the URLs on that page. Then it picks a URL and requests it. Then, for each parameter in the URL query string, it replaces the value with a URI-encoded domain and path, and retries the URL. Obviously it then looks in the generated HTML to see if that domain appears in the output.

Clearly this is some bot scraping through websites looking for any possible XSS attacks on that site.

These requests are coming from many different IPs, so it looks like it’s one of the botnets out there doing this.
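As an added example for the detection side (not code from the post), the following scans access-log lines for exactly the pattern described above: a query-string parameter whose percent-decoded value is a URL (scheme://host or protocol-relative //host) rather than the ordinary value the page normally takes. The log lines, IP addresses and the probe.example.invalid host are constructed; the log format is assumed to be Apache common format. Results are grouped per source IP and per injected host, which is what lets a distributed set of sources be recognised as one scan.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log (Apache common format); hosts and IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.10 - - [01/Jan/2010:10:00:01 +0000] "GET /mail/?u=42&view=inbox HTTP/1.1" 200 2048
203.0.113.10 - - [01/Jan/2010:10:00:02 +0000] "GET /mail/?u=http%3A%2F%2Fprobe.example.invalid%2Fx.js&view=inbox HTTP/1.1" 200 2048
203.0.113.10 - - [01/Jan/2010:10:00:03 +0000] "GET /mail/?u=42&view=http%3A%2F%2Fprobe.example.invalid%2Fx.js HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2010:10:00:04 +0000] "GET /mail/?u=7&view=sent HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2010:10:00:05 +0000] "GET /mail/?u=7&view=%2F%2Fprobe.example.invalid%2F HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A value that starts with scheme://host or //host is a URL, not a normal parameter.
URLISH_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//[^/\s]+", re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injected_params(target):
    """[(name, decoded_value)] for query parameters whose value is a URL.

    parse_qsl already percent-decodes once; unquote() runs again so a
    doubly-encoded value is caught as well.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        if URLISH_RE.match(decoded):
            hits.append((name, decoded))
    return hits


def scan(log_text):
    """Map source IP -> [(path, param, injected_value), ...]."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = urlsplit(rec["target"]).path
        for name, value in injected_params(rec["target"]):
            findings[rec["ip"]].append((path, name, value))
    return dict(findings)


def injected_hosts(findings):
    """Count injected hostnames across all sources: one host seen from many
    IPs is the signature of a single botnet-driven scan."""
    hosts = Counter()
    for items in findings.values():
        for _, _, value in items:
            full = value if "://" in value else "http:" + value
            hosts[urlsplit(full).hostname] += 1
    return hosts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, items in found.items():
        print(ip, items)
    print(injected_hosts(found))
```

A first-pass filter like this is noisy on pages that legitimately carry URLs in parameters (redirect targets, feed readers), so in practice it is paired with the page's normal parameter expectations; the point is that the probe is visible purely in the request log, before any response is examined.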

Posted in Technical. Comments Off